Showing your fingers in peace signs, high fives, or the like in photos posted online could lead to criminals stealing your fingerprints.
Researchers from Japan’s National Institute of Informatics (NII) made such a claim in a paper published in 2017, but in fact the general problem has been known for many years. It received widespread attention in 2014 after a hacker copied a German minister’s prints from high-resolution photos of her, including one publicly available from a German government press office.
The NII researchers were able to copy fingerprints based on photos taken by a digital camera less than ten feet away from the subject. Improving technology, and the proliferation of high-resolution cameras to pretty much every smartphone, will only make the problem worse with time.
So… What should you do? And what is the lesson?
The most important lesson is simple:
Fingerprints are, with several notable exceptions, not an appropriate way to authenticate people. Avoid using fingerprint authentication.
I bolded the previous two sentences because they are both critically important and state the opposite of what many people have been taught to believe.
Think about your own fingerprints: every day, you leave them in thousands of publicly accessible places from which anyone, including criminals, can easily lift them. Would you trust a password to secure anything if you wrote it on a thousand Post-It notes and left the notes all over your office, home, car, and gym, and in restaurants, on buses, etc.? In some regards, fingerprints are even worse than weak passwords: you can reset a password after it is stolen, but can you reset your fingerprints?
Teenagers posting peace sign selfies on social media may never be able to reliably secure anything with the fingers that they have shown the world. As Robert Capps, VP of Business Development at NuData Security, put it, “Once biometric data is stolen and resold on the Dark Web, the risk of inappropriate access to a user’s accounts and identity will persist for that person’s lifetime.”
Fingerprint authentication suffers from other problems as well, and I have, since before the iPhone fingerprint sensor was first released, argued against the use of fingerprints for smartphone unlocking. If you are using fingerprint authentication on your phone, I strongly suggest that you read my articles on the subject, including Why You Should Not Use Smartphone Fingerprint Readers; understand the risks and decide for yourself.
That said, because some firms still seem intent on trusting fingerprints as a mechanism for authenticating people – and because law enforcement agencies will still question the owner of a particular fingerprint if it is found at the scene of a crime – it may be wise to refrain from showing prints in photos. That may not always be possible, and law enforcement agencies will ultimately need to confront a new reality vis-à-vis how easy it is becoming to obtain and plant someone’s prints at the scene of a crime. Three-dimensional fingerprint imaging may help in some cases, but the ability of criminals to extrapolate three-dimensional images from two-dimensional data may, at times, still be a problem.
In any case, if you do need to utilize fingerprint authentication for some reason, consider using a finger less likely to be seen in photos (the print on your pinky, for example, is not normally seen when making a peace sign). But don’t rely on any fingerprint not being known: you may not remember being in a group photograph of everyone waving, but if such a photo exists, criminals will find it if they want it.